
Sunday, July 15, 2012

App Store - Flaw in the in-app purchase process exploited in 30,000 transactions

iOS applications can sell additional services through in-app purchases (extra game levels or extra application features) without the user leaving the application. This feature is currently in the news among developers, and not for the best of reasons: a flaw was discovered in the API that may have allowed more than 30,000 counterfeit sales.

The method was discovered by the hacker Alexey Borodin, who managed, by installing a certificate and changing the smartphone's DNS settings, to make purchases without any cost reaching his account. The hacker then set up an online service, in-appstore.com, that walked anyone willing to take part in this illegality through the whole process.

According to the hacker the process is simple: with a DNS change and an installed certificate, in-app purchases can be intercepted by his server instead of reaching Apple's server. That server returns a purchase certificate to the application, making the application believe that the purchase was made and that the payment had been charged to the customer's Apple ID.

The method did not stop there: the application could check the purchase certificate, and in that case too the intercepting server captured the request and answered that yes, the certificate was valid.
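As an added, defender-side illustration (not code from the article, from Borodin's service or from Apple), this is the kind of check that defeats the interception described above: the application never decides on its own whether a certificate is valid; it forwards the receipt to the developer's own backend, which asks Apple from a server the phone's DNS settings cannot redirect, then confirms that the answer names this app and this product and has not been credited before. The JSON field names (status, receipt.bundle_id, in_app[].product_id, in_app[].transaction_id) are assumed from Apple's verifyReceipt service, the bundle and product ids are constructed, and the call to Apple is stubbed so the code runs offline.

```python
from typing import Callable, Dict, Set

# Constructed values for this illustration; a real backend loads its own.
EXPECTED_BUNDLE_ID = "com.example.mygame"
KNOWN_PRODUCTS = {"com.example.mygame.level_pack"}

class ReceiptStore:
    """Remembers credited transaction ids so a replayed receipt is not honoured twice."""

    def __init__(self) -> None:
        self.seen: Set[str] = set()

    def credit_once(self, transaction_id: str) -> bool:
        if not transaction_id or transaction_id in self.seen:
            return False
        self.seen.add(transaction_id)
        return True

def validate_purchase(receipt_blob: str, product_id: str,
                      ask_apple: Callable[[str], Dict], store: ReceiptStore) -> bool:
    """True only if Apple, queried from the backend (never the device), confirms
    the receipt and the receipt names this app and this product."""
    if product_id not in KNOWN_PRODUCTS:
        return False
    resp = ask_apple(receipt_blob)            # assumed verifyReceipt-style JSON
    if resp.get("status") != 0:               # 0 means Apple validated it
        return False
    receipt = resp.get("receipt", {})
    if receipt.get("bundle_id") != EXPECTED_BUNDLE_ID:
        return False                          # a valid receipt, but for another app
    for item in receipt.get("in_app", []):
        if item.get("product_id") == product_id:
            return store.credit_once(str(item.get("transaction_id", "")))
    return False                              # this product is not in the receipt

# Constructed stand-ins for Apple's answers: one genuine, one for another app.
GENUINE = {"status": 0, "receipt": {"bundle_id": EXPECTED_BUNDLE_ID, "in_app": [
    {"product_id": "com.example.mygame.level_pack", "transaction_id": "1000000123"}]}}
FOREIGN = {"status": 0, "receipt": {"bundle_id": "com.other.app", "in_app": [
    {"product_id": "com.example.mygame.level_pack", "transaction_id": "1000000987"}]}}

def demo() -> tuple:
    """Genuine receipt credited once; its replay and the foreign receipt rejected."""
    store = ReceiptStore()
    product = "com.example.mygame.level_pack"
    first = validate_purchase("blob-a", product, lambda _b: GENUINE, store)
    replay = validate_purchase("blob-a", product, lambda _b: GENUINE, store)
    foreign = validate_purchase("blob-b", product, lambda _b: FOREIGN, store)
    return first, replay, foreign             # (True, False, False)
```

The decisive difference from the flow the article describes is where the question is asked: a device whose DNS and trust store the user controls can be lied to, while the backend's connection to Apple cannot be redirected by anything on the phone.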

This is of course bad news for developers, who see their sources of income hit by these tricksters. As usual, application programmers offer a free, limited version and then, to offer more levels or more features, rely on the in-app purchase feature to sell those levels and unlock those functions. With this illegal method, the "customer" will never buy another level, service or full version, because they could "buy" it for free.

Apple has released a statement stressing the importance of security for its developer community and says it is investigating the incident, adding that this method does not work for all applications that offer in-app purchases. The method is not without cost to those using it either: they hand their Apple IDs over to the Russian hackers' servers in order to receive the certificates, which, we can agree, is a gold mine for the villain, since the users are handing over personal data such as their associated card numbers, addresses and so on.

At this point it is important to see what measures developers will take to fix this flaw; it is also in Apple's interest to improve this process in its API and keep it as secure as possible, so that in future such cases do not return to cause damage and instability in the large community of developers in the market today. [via]


Published By: Pplware
